Hello all,
so my company needed to change a router and replace it with an 880 cisco router.
the architecture is very easy, Two interfaces: one for LAN and the other for the WAN.
i had to create a VLAN for the FE0 interface, cause I couldn't turn it on due to some L2 compability or smth like that. Never the less, I connected the interfaces and the internet worked. the issue is that with the old router I had a 60mb/s for bandwith, and with the cisco i got only 6Mb/s !!! whcih is a big loss of performance.
well the config i copied it from: https://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html
and it's like this:
VPN#show run
Building configuration...
Current configuration : 2170 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
!
!--- Enable authentication, authorization and accounting (AAA) !--- for user authentication and group authorization.
aaa new-model
!
!--- In order to enable Xauth for user authentication, !--- enable the aaa authentication commands.
aaa authentication login userauthen local
!--- In order to enable group authorization, enable !--- the aaa authorization commands.
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
!--- For local authentication of the IPsec user, !--- create the user with a password.
username user password 0 cisco
!
!
!
!--- Create an Internet Security Association and !--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!--- Create a group that is used to specify the !--- WINS and DNS server addresses to the VPN Client, !--- along with the pre-shared key for authentication. Use ACL 101 used for !--- the Split tunneling in the VPN Clinet end.
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
acl 101
!
!--- Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create a dynamic map and apply !--- the transform set that was created earlier.
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!--- Create the actual crypto map, !--- and apply the AAA lists that were created earlier.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FE0
switchport mode access
switch port access VLAN 100
half-duplex
!--- Apply the crypto map on the outbound interface.
interface FE4
ip address 172.16.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface Vlan 100
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!--- Create a pool of addresses to be !--- assigned to the VPN Clients.
! ip local pool ippool 192.168.1.1 192.168.1.2
ip http server
no ip http secure-server
! ip route 0.0.0.0 0.0.0.0 172.16.1.2
!--- Enables Network Address Translation (NAT) !--- of the inside source address that matches access list 111 !--- and gets PATed with the FastEthernet IP address.
ip nat inside source list 111 interface FastEthernet 4 overload !
!--- The access list is used to specify which traffic !--- is to be translated for the outside Internet.
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 access-list 111 permit ip any any
!--- Configure the interesting traffic to be encrypted from the VPN Client !--- to the central site router (access list 101). !--- Apply this ACL in the ISAKMP configuration.
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 control-plane ! line con 0 line aux 0 line vty 0 4 ! end
If anyone could help I'll be grateful.
Thanks for your time
